
Law enforcement authorities bring down Ramnit botnet
Law enforcement agencies, together with security companies, carried out an operation to seize and disable the infrastructure of a large Ramnit malware botnet comprising more than three million bots (infected computers). The operation involved Europol as well as CERTs from various countries, including Germany, Italy, Holland and Great Britain.

Ramnit itself (ESET: Win32/Ramnit.X, Microsoft: Win32/Ramnit, Trojan:WinNT/Ramnit, Symantec: W32.Ramnit, Hacktool.Rootkit) has a modular architecture and was used by cybercriminals for various purposes, including the theft of users' online banking data. This stolen data was subsequently used to steal users' money (criminal scheme). Ramnit has self-propagation mechanisms (it is a file virus), makes many modifications to the system, and also contains a rootkit.
On February 24, Europol's European Cybercrime Center (EC3) coordinated a joint international operation from its operational center in The Hague, which targeted the Ramnit botnet that had infected 3.2 million computers all around the world. The operation involved investigators from Germany, Italy, the Netherlands, and the United Kingdom - who led the operation - along with partners from private industry.
Ramnit includes the following modules:
- Browser data theft module (grabber): injects its malicious code (injector) into the running browser process and steals online banking data by manipulating the forms displayed to the user.
- Cookie theft module (cookie grabber): steals the cookies of the current browser session and sends them to the attackers' remote server; the attackers can later use these cookies to present themselves to the system as real users.
- Rootkit: used to remove kernel hooks (SSDT) that security products can use to protect the system.
- Anti-AV module: disrupts all kinds of AV / security products, including the standard Windows Firewall, Defender and UAC.
- File collection module: scans the file system for specific files that may be of value (those that store online banking data). These files are sent to the remote server.
- VNC module: provides attackers with remote access to the system.
A list of the system modifications that one of the Ramnit variants can make to the system is available here. To ensure its survival in the system, it completely disables Windows Safe Mode by deleting the registry keys responsible for it.
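
A triage check for the tampering described above (Safe Mode registry keys removed; Windows Firewall, Defender and UAC disrupted), as an added example that is not part of the original article. The function name is hypothetical, and the registry paths and service names are the standard Windows locations, assumed here because the article does not name them.

```powershell
# Added example: reports whether the security controls the article lists are intact.
# Assumptions: standard Windows registry paths and service names (not given in the article).
function Get-SecurityControlFinding {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # Safe Mode boot profiles. Windows cannot boot into Safe Mode
    # when these keys are missing or have been emptied.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($mode in 'Minimal', 'Network') {
        $path = "$safeBoot\$mode"
        if (-not (Test-Path -Path $path)) {
            $findings.Add("Safe Mode key missing: $path")
        } elseif (-not (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $findings.Add("Safe Mode key has no subkeys: $path")
        }
    }

    # UAC is on when EnableLUA = 1.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -eq $uac -or $uac.EnableLUA -ne 1) {
        $findings.Add('UAC is disabled or the EnableLUA value is missing')
    }

    # mpssvc = Windows Firewall service, WinDefend = Defender service.
    # WinDefend can be legitimately stopped when a third-party AV product is installed.
    foreach ($name in 'mpssvc', 'WinDefend') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $findings.Add("Service not present: $name")
        } elseif ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
            $findings.Add("Service $name is $($svc.State), start mode $($svc.StartMode)")
        }
    }

    return $findings
}

$result = Get-SecurityControlFinding
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Safe Mode keys, UAC, firewall and Defender all look intact.'
}
```

A finding shows that a control has been weakened, not that Ramnit specifically is present; treat it as a reason to scan the host with an up-to-date security product.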